Doc: AssemblyBuilder require fully trusted environment with trusted input

Author: buyaa-n

xml/System.Reflection.Emit/AssemblyBuilder.xml

@@ -76,7 +76,14 @@
   </Attributes>
   <Docs>
     <summary>Defines and represents a dynamic assembly.</summary>
-    <remarks>For more information about this API, see <see href="/dotnet/fundamentals/runtime-libraries/system-reflection-emit-assemblybuilder">Supplemental API remarks for AssemblyBuilder</see>.</remarks>
+    <remarks>For more information about this API, see <see href="/dotnet/fundamentals/runtime-libraries/system-reflection-emit-assemblybuilder">Supplemental API remarks for AssemblyBuilder</see>.
+      <format type="text/markdown">
+<![CDATA[
+> [!WARNING]
+> `AssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes.
+]]>
+      </format>
+    </remarks>
     <example>
       <format type="text/markdown"><![CDATA[
 The following code example shows how to define and use a dynamic assembly. The example assembly contains one type, `MyDynamicType`, that has a private field, a property that gets and sets the private field, constructors that initialize the private field, and a method that multiplies a user-supplied number by the private field value and returns the result.

xml/System.Reflection.Emit/ILGenerator.xml

@@ -84,6 +84,15 @@
 
  MSIL is used as input to a just-in-time (JIT) compiler.
 
+> [!WARNING]
+> There are no restrictions, other than basic validation for ILGenerator APIs that used for producing method IL. If untrusted input is used for producing IL:
+
+> - IL and metadata can contain secrets provided by the consumer.
+> - IL can be invalid such as not having a balanced push vs. pop opcodes, or invalid operands for a given opcode.
+> - Can contain any code that may, for example, deadlock, have infinite stack recursion, or have an infinite loop.
+> - IL can load and execute code on any other reachable assembly.
+
+> Such code can do whatever it wishes when the method is loaded and executed. To restrict such vulnerabilities `ILGenerator` require a fully trusted environment with trusted input.
  ]]></format>
     </remarks>
   </Docs>

xml/System.Reflection.Emit/PersistedAssemblyBuilder.xml

@@ -25,7 +25,14 @@
   </Attributes>
   <Docs>
     <summary>Provides an AssemblyBuilder implementation that can persist assembly to a disk or stream.</summary>
-    <remarks>To be added.</remarks>
+    <remarks>For more information about this API, see <see href="/dotnet/fundamentals/runtime-libraries/system-reflection-emit-persistedassemblybuilder">Persisted dynamic assemblies in .NET</see>.
+      <format type="text/markdown">
+<![CDATA[
+> [!WARNING]
+> `PersistedAssemblyBuilder` APIs require a fully trusted environment with trusted input, similarly as other technologies such as compilers. There are no restrictions other than basic validation for generated IL, for member name, count and associated metadata such as custom attributes, that the AssemblyBuilder can contain. For example untrusted input that directly affects the produced IL written to an assembly that later loaded and executed, such input can do whatever it wishes.
+]]>
+      </format>
+    </remarks>
   </Docs>
   <Members>
     <Member MemberName=".ctor">